Hi, I've been successfully using DenyHosts for quite a while, but I've repeatedly hit a problem that happens during logrotate.

Here's what's going on:

* On July 27 04:02 /var/log/secure and /var/log/denyhosts were rotated

* Upon restart, DenyHosts suddenly blocked two hosts:

    2008-07-27 04:02:32,115 - denyhosts : INFO Processing log file (/var/log/secure) from offset (0)
    2008-07-27 04:02:58,017 - denyhosts : INFO new denied hosts: ['WWW.XXX.YYY.ZZZ', 'SSS.TTT.UUU.VVV']
    2008-07-27 04:02:58,078 - denyhosts : INFO launching DenyHosts daemon (version 2.6)...

* Here is what I found in /var/log/secure and in the WORK_DIR:

    grep SSS.TTT.UUU.VVV /var/log/secure*
    /var/log/secure.1:Jul 23 08:14:09 host sshd[29556]: Did not receive identification string from SSS.TTT.UUU.VVV
    /var/log/secure.1:Jul 23 09:17:37 host sshd[30966]: Illegal user admin from SSS.TTT.UUU.VVV
    /var/log/secure.1:Jul 23 09:17:37 host sshd(pam_unix)[30966]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=SSS.TTT.UUU.VVV
    /var/log/secure.1:Jul 23 09:17:39 host sshd[30966]: Failed password for illegal user admin from SSS.TTT.UUU.VVV port 50275 ssh2
    /var/log/secure.1:Jul 23 09:17:42 host sshd[30971]: Failed password for root from SSS.TTT.UUU.VVV port 50445 ssh2
    /var/log/secure.1:Jul 23 09:17:45 host sshd[30974]: Illegal user stud from SSS.TTT.UUU.VVV
    /var/log/secure.1:Jul 23 09:18:10 host sshd(pam_unix)[30974]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=SSS.TTT.UUU.VVV
    /var/log/secure.1:Jul 23 09:18:13 host sshd[30974]: Failed password for illegal user stud from SSS.TTT.UUU.VVV port 50531 ssh2

    grep SSS.TTT.UUU.VVV /usr/local/share/denyhosts/data/*
    /usr/local/share/denyhosts/data/hosts:SSS.TTT.UUU.VVV:10:Sun Jul 27 04:02:32 2008
    /usr/local/share/denyhosts/data/hosts-restricted:SSS.TTT.UUU.VVV:0:Wed Jul 23 08:14:30 2008
    /usr/local/share/denyhosts/data/hosts-root:SSS.TTT.UUU.VVV:2:Sun Jul 27 04:02:32 2008
    /usr/local/share/denyhosts/data/hosts-valid:SSS.TTT.UUU.VVV:0:Wed Jul 23 08:14:30 2008
    /usr/local/share/denyhosts/data/users-hosts:root - SSS.TTT.UUU.VVV:2:Sun Jul 27 04:02:32 2008

* So DenyHosts claims that there was a login attempt of SSS.TTT.UUU.VVV at the time of when logrotate ran, which doesn't seem to be true. This is really bad and I don't understand what is going on and I fear that legitimate IPs get blocked.

* I don't have any custom regexps in my DenyHosts config.

Can somebody shed a little light on this problem? If more info is required to track this down, please let me know.

Cheers,
Andreas

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
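
The comparison made by hand in the post above, as an added example (not part of the original message and not DenyHosts code): it flags WORK_DIR entries whose recorded time is later than every sshd log line for that host. The function names, the one-minute slack and the reuse of the recorded year for the year-less syslog timestamps are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the grep output in the post above
# (addresses are the poster's placeholders).
SECURE = [
    "/var/log/secure.1:Jul 23 09:17:42 host sshd[30971]: Failed password for root from SSS.TTT.UUU.VVV port 50445 ssh2",
    "/var/log/secure.1:Jul 23 09:18:13 host sshd[30974]: Failed password for illegal user stud from SSS.TTT.UUU.VVV port 50531 ssh2",
]
WORK = [
    "/usr/local/share/denyhosts/data/hosts:SSS.TTT.UUU.VVV:10:Sun Jul 27 04:02:32 2008",
    "/usr/local/share/denyhosts/data/hosts-restricted:SSS.TTT.UUU.VVV:0:Wed Jul 23 08:14:30 2008",
    "/usr/local/share/denyhosts/data/hosts-root:SSS.TTT.UUU.VVV:2:Sun Jul 27 04:02:32 2008",
    "/usr/local/share/denyhosts/data/users-hosts:root - SSS.TTT.UUU.VVV:2:Sun Jul 27 04:02:32 2008",
]

# grep-prefixed WORK_DIR line: file:key:count:timestamp (the timestamp itself contains colons)
WORK_RE = re.compile(r"^(?P<file>[^:]+):(?P<key>.+):(?P<count>\d+):"
                     r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})$")
# grep-prefixed syslog line from sshd
LOG_RE = re.compile(r"^[^:]+:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd")

def last_logged(host, log_lines, year):
    """Newest sshd log line mentioning host; syslog has no year, so one is assumed."""
    seen = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and host in line:
            seen.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return max(seen, default=None)

def unexplained(work_lines, log_lines, slack=timedelta(minutes=1)):
    """WORK_DIR entries with count > 0 recorded later than any log line for that host."""
    out = []
    for line in work_lines:
        m = WORK_RE.match(line)
        if not m or int(m["count"]) == 0:
            continue
        host = m["key"].split()[-1]          # "root - HOST" -> HOST
        recorded = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        last = last_logged(host, log_lines, recorded.year)
        if last is None or recorded - last > slack:
            out.append((m["file"], host, int(m["count"]), recorded, last))
    return out

if __name__ == "__main__":
    for f, host, count, recorded, last in unexplained(WORK, SECURE):
        print(f"{f}: {host} count={count} recorded {recorded}, newest log line {last}")
```

On the lines quoted in the post it reports the hosts, hosts-root and users-hosts entries, all stamped at the rotation time while the newest log line for that address is from Jul 23.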
